Re: [WIRELESS-LAN] Recent Radius Meltdowns

2016-03-11 Thread Arran Cudbard-Bell

> On 10 Mar 2016, at 22:36, Curtis K. Larsen <curtis.k.lar...@utah.edu> wrote:
> 
> About a year and a half ago I did pretty exhaustive testing of RADIUS load 
> with the Spirent
> traffic generator and with the assistance of PacketFence developers.  
> (PacketFence is also based
> on FreeRADIUS).  They suggested we tweak the MaxConcurrentAPI setting on our 
> test AD server.  So
> we did, but unfortunately it seemed to make no difference at all in the 
> number of authentications
> per second we could process from the load generator.
> 
> One thing we found though was that if we ran the authentications against a 
> flat file on the RADIUS
> server itself we could process six times more authentications.  The bottom 
> line is that whether it
> is SAMBA, NTLM, AD, or network latency itself I can't say - but I do know 
> that if I eliminate all
> of them performance increases dramatically.
> 
> Bottom line:  Use EAP-TLS, and avoid checking LDAP/AD except when absolutely 
> necessary.  PEAP is
> vulnerable to fake AP/MITM attacks anyway.

PEAP and TTLS are both horrifically insecure. I have a presentation on it 
coming up, I'll post the video when it's complete.

The OSX/IOS/Windows supplicants are all vulnerable to bid down attacks when 
there's no wireless profile for the network.

The server can request EAP-TTLS and they'll happily oblige, meaning you don't 
even need to crack the DES keys in MSCHAPv2.

> 
> If you must check AD all the time - get a lot of servers, load balance them, 
> monitor and graph
> authentications down to the second.  That way you'll be more likely to 
> identify the cause of an
> issue.

It doesn't help that FreeRADIUS's processing model is synchronous.  We're 
looking at fixing that, but after considering all the options it really looks 
like the only model we can adopt is using our own stack. That means adapting 
the current unlang interpreter to provide coroutine like behaviour, and 
reworking function calls in any module that performs blocking I/O.

It's not trivial, not sponsored, and there are only two full time developers so 
it's going to take a while.

-Arran


Arran Cudbard-Bell <a.cudba...@freeradius.org>
FreeRADIUS development team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2


**
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.





Re: [WIRELESS-LAN] Apple OSX 10.11 beta

2015-10-23 Thread Arran Cudbard-Bell

> On Aug 11, 2015, at 1:37 AM, Jason Cook  wrote:
> 
> Thanks for all the responses on this. Upgrade worked a treat.
> 
> Was a better response than vendor support but to be fair we hadn’t logged one 
> with freeradius

And you wouldn't need to have, as we had stable versions with the MPPE 
calculation issues fixed prior to the release of iOS9.

We've known about it for the past six months:


https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/doc/ChangeLog#L56

Prior to any of the attention it got due to iOS9/Google/Android/Marshmallow.

The later fix for EAP-TTLS was due to some (mostly) duplicate code missed in 
the first round of patches. EAP-TLS and PEAP have worked fine since 2.2.7.

The reason why you see an Access-Accept and the same unencrypted portion is 
because they are the same.  What differs is the method used to derive the 
session keys returned to the NAS in the MPPE Key attributes.

TLS 1.2 uses a different method to TLS < 1.2.  As a result of that change the 
server and the supplicant were deriving different values for the encryption 
keys used for WPA/WPA2 and that was causing the session to fail.

In the case of Radiator, it was the crypto library that had not been updated to 
use the new method of key derivation.

The reason why the final release of iOS9 worked was because Apple discovered 
the compatibility issues and disabled TLS 1.2.

Google also discovered the compatibility issues, but decided that they hated 
their users and did not disable TLS 1.2.  Result here:

https://code.google.com/p/android/issues/detail?id=188867

-Arran
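To make the key-derivation mismatch above concrete, here is an added Python example (illustrative code, not FreeRADIUS, Radiator or Apple code). It derives the 64-byte MSK the way RFC 5216 section 2.3 specifies, once with the TLS 1.0/1.1 PRF (P_MD5 XOR P_SHA1, RFC 2246) and once with the TLS 1.2 PRF (P_SHA256, RFC 5246), and splits it into the two 32-byte values carried in MS-MPPE-Recv-Key and MS-MPPE-Send-Key. The master secret and randoms are constructed values, not from a real session; the point is that if one side still exports keys with the old PRF after negotiating TLS 1.2, the two sides end up with different WPA/WPA2 keys and the session fails, which is the failure described above.

```python
"""Added example: EAP-TLS MPPE key derivation with the TLS 1.0/1.1 PRF versus
the TLS 1.2 PRF.  Illustrative code, not FreeRADIUS, Radiator or Apple code;
all inputs below are constructed, not captured from a real session."""
import hashlib
import hmac


def p_hash(hash_fn, secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash expansion from RFC 2246/5246 section 5: an HMAC chain where
    A(i) = HMAC(secret, A(i-1)) and each output block is HMAC(secret, A(i) + seed)."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_fn).digest()
        out += hmac.new(secret, a + seed, hash_fn).digest()
    return out[:length]


def prf_tls10(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0/1.1 PRF (RFC 2246): split the secret into two halves and XOR
    P_MD5 over the first half with P_SHA1 over the second half."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash(hashlib.md5, s1, label + seed, length)
    sha1_part = p_hash(hashlib.sha1, s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def prf_tls12(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246): a single P_SHA256 over the whole secret."""
    return p_hash(hashlib.sha256, secret, label + seed, length)


def eap_tls_mppe_keys(master_secret: bytes, client_random: bytes,
                      server_random: bytes, tls12: bool) -> dict:
    """Derive the MSK as RFC 5216 section 2.3 specifies and split it into the
    32-byte MS-MPPE-Recv-Key and MS-MPPE-Send-Key values returned to the NAS."""
    prf = prf_tls12 if tls12 else prf_tls10
    msk = prf(master_secret, b"client EAP encryption",
              client_random + server_random, 64)
    return {"recv": msk[:32], "send": msk[32:64]}


# Constructed handshake values (a real master secret is 48 random bytes).
MASTER_SECRET = bytes(range(48))
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32


def session_keys_agree(server_uses_tls12: bool, supplicant_uses_tls12: bool) -> bool:
    """True when the RADIUS server and the supplicant export the same keys,
    i.e. when the WPA/WPA2 handshake that follows EAP can succeed."""
    server = eap_tls_mppe_keys(MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM,
                               server_uses_tls12)
    supplicant = eap_tls_mppe_keys(MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM,
                                   supplicant_uses_tls12)
    return server == supplicant


if __name__ == "__main__":
    for srv, sup in [(False, False), (True, True), (True, False)]:
        print(f"server TLS1.2 PRF={srv}, supplicant TLS1.2 PRF={sup}: "
              f"keys agree = {session_keys_agree(srv, sup)}")
```

The only case that fails is the mixed one, which matches the symptom in the thread: the handshake and the Access-Accept look identical on the wire, and the difference is confined to the exported key material.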



Re: [WIRELESS-LAN] 802.1X and Heartbleed...

2014-04-25 Thread Arran Cudbard-Bell

On 15 Apr 2014, at 21:55, Jason Watts jwa...@pratt.edu wrote:

 Thanks for the clarification.

FreeRADIUS 2.2.5 and 3.0.3 will contain heartbleed attack detection 
code which will not only prevent an attack, but also produce explicit 
log output indicating it was attempted.

It has been confirmed that versions < 2.2.5 and 3.0.3 are vulnerable
when linked against a vulnerable version of libssl.

Note: Even when updating to FreeRADIUS 2.2.5 and 3.0.3 if client 
libraries are linked against a vulnerable version of libssl, the server
will be vulnerable to attack from compromised LDAP/SQL/HTTP servers if
TLS is used to secure the connection.

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team

FD31 3077 42EC 7FCD 32FE 5EE2 56CF 27F9 30A8 CAA2




Re: [WIRELESS-LAN] 802.1x vs web-portal

2013-11-29 Thread Arran Cudbard-Bell
On 19 Nov 2013, at 21:00, Ken LeCompte lecom...@oit.rutgers.edu wrote:

 One major consideration is that the use of https for more and more webpages 
 is resulting in more confused users not getting redirected to captive portal 
 login pages.

A workaround for some devices would be to add a WISPr responder to the 
portal. It will work with all recent iOS and OSX devices, some Windows Phones, 
and Windows 8/8.1.

http://msdn.microsoft.com/en-us/library/windows/hardware/dn408675.aspx

There is no perfect solution to portal redirection, but WISPr does seem a good 
way forward.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team



Re: [WIRELESS-LAN] Multithreaded krb5 module for FreeRADIUS 2.x

2013-02-26 Thread Arran Cudbard-Bell
 Hi Aaron,
 
 Sorry for the late response to this thread (I'm catching up on 
 backlogged mail).
 
 I'm not sure if you got any volunteers, but we'd be very interested
 in testing this out (with MIT krb5 at least). Thanks for doing this
 work.


Hi Shumon,

Because no one responded on the FreeRADIUS lists either, I merged the new code 
over to the master branch and junked the copy that worked with 2.x.x.

You're welcome to try out the multithreaded version on master, but your config 
may need some modifications.

There's still a bit more work to do so we can re-use contexts between requests, 
instead of cloning a master context and then freeing it after we're done. But I 
wanted confirmation that the current code actually worked before I spent more 
time on it.

-Arran



Re: [WIRELESS-LAN] About the eduroam configuration on Freeradius

2013-02-15 Thread Arran Cudbard-Bell
Hi,

It is an exceptionally bad idea to do what you're proposing, as it prevents 
local users from verifying their eduroam configuration actually works at your 
site before roaming to other sites.

Yes, you can display a test page, but then you have to make sure that every 
user sets the priority of the SSIDs correctly so that your local SSID has a 
higher precedence, else every time they reconnect to wireless they'll get the 
test page.

Many universities have transitioned to a single eduroam SSID which serves both 
local and remote users. They then assign different VLANs or wireless profiles 
dynamically based on where the user is authenticating from.

This is, IMHO, far easier to support, and far better for the students/staff 
using the service.

The only argument I've heard against eduroam as the primary SSID is that it 
reduces awareness of the university brand.

-Arran


Multithreaded krb5 module for FreeRADIUS 2.x

2013-01-11 Thread Arran Cudbard-Bell
(apologies for those on netman, this should have gone to wireless-lan 
originally)

Hi All,

A while back there was some discussion about the current krb5 module in 
FreeRADIUS being single threaded, and that it may no longer be necessary for it 
to be single threaded.

It transpires that both MIT and Heimdal libraries are now thread safe, MIT 
since either 1.4.x or 1.4.4 (unsure) and Heimdal since around 0.7 
(documentation is fuzzy).

I can't test beyond compiling the code against the Kerberos library, and maybe 
setting up a test KDC/TGS. But for this to be put into the stable branch it 
really needs to be tested under load, against a range of Kerberos 
implementations.

We're looking for volunteers, preferably a mix of deployments using either MIT 
or Heimdal. The new module should just drop in for any v2.1.x deployment once 
compiled, as it doesn't use any new core API functions.

Change list:
* Both - Check that krb5 library was compiled with threading support on 
startup.
* Both - Clone context on each request to ensure thread safety.
* Both - Move service principal parsing so it's done at initialisation 
only (instead of on every request).
* Both - Improved return codes, will now reflect revoked 
access/password expiry (USERLOCK), unknown client principal (NOTFOUND), as well 
as bad password (REJECT), and other errors (FAIL). Before the module returned 
REJECT for almost everything.
* Both - Mark module as thread safe, config check safe (will be 
validated on -C), and hup safe (config will be reloaded on SIGHUP)
* Both - Switch more messages to use RDEBUG so they'll be printed in 
conditional debug (useful for production servers with radmin enabled).
* MIT - Move service principal string to service principal conversion 
so that it's done at initialisation only  (instead of on every request).
* MIT - Move options configuration so they're done at initialisation 
only  (instead of on every request).
* MIT - Switch to using krb5_get_init_creds_password and 
krb5_verify_init_creds to validate TGT instead of old twisty logic.
* MIT - Cache option removed as krb5_verify_init_creds disables the 
replay cache on its own.

For those wanting to test:
git clone g...@github.com:arr2036/freeradius-server.git
cd freeradius-server
git checkout threaded_krb5

Report issues on: http://bugs.freeradius.org, and send feedback to either the 
list or me directly.

Thanks,
Arran



Re: [WIRELESS-LAN] 802.1x Wireless Printers- revisited

2012-12-13 Thread Arran Cudbard-Bell
On 12 Dec 2012, at 15:43, Lee H Badman lhbad...@syr.edu wrote:

 Has been a while: What wireless printers have you found that successfully 
 work on 802.1x based wireless networks- particularly using MS-CHAPv2/PEAP, 
 WPA2, and AD back-end (as if the printer was just another host on the secure 
 network).

If the reason you're asking is that you've had issues with the above 
setup, and you happen to be using HP printers:

The supplicant on HP printers before firmware releases in 2011 would not work 
correctly if using PEAP with the inner tunnel terminating on FreeRADIUS, 
because HP had misimplemented the draft specification, and included full EAP 
headers in the inner tunnel, when they were meant to send cut down EAP headers.

Newer firmware for HP printers should contain the fix.

If you're not using HP printers then apologies for the noise.

-Arran



Re: [WIRELESS-LAN] 802.1x Wireless Printers- revisited

2012-12-13 Thread Arran Cudbard-Bell
On 13 Dec 2012, at 16:08, phanset phan...@utk.edu wrote:

 Has been a while: What wireless printers have you found that successfully 
 work on 802.1x based wireless networks- particularly using MS-CHAPv2/PEAP, 
 WPA2, and AD back-end (as if the printer was just another host on the 
 secure network).
 
 If the reason why you're asking is because you've had issues with the above 
 setup, and you happen to be using HP printers.
 
 The supplicant on HP printers before firmware releases in 2011 would not 
 work correctly if using PEAP with the inner tunnel terminating on FreeRADIUS,
 
 
 Arran,
 
 Is this problem just with FreeRADIUS or should it be with all flavors of 
 RADIUS like
 RADIATOR, Microsoft IAS & NPS, CISCO ACS & ISE, Juniper Steel-Belted?

The original implementation was known to work with Microsoft IAS at least (and 
most likely NPS). For the others the only way to know would be to test.

-Arran


Re: [WIRELESS-LAN] Eduroam technical questions

2012-11-14 Thread Arran Cudbard-Bell
The problem comes in implementing the ban.

Some institutions allow an anonymous outer identity for the EAP tunnel, which, 
so long as it contains enough information for routing can contain an arbitrary 
user id. You ban one and the user can just change it and still get access. You 
never get to see the inner id unless the homeserver has been configured to send 
it back in the Access-Accept.

The best solution is to contact the home institution directly and get their 
guys to ban the user. This will be easier once more institutions have adopted 
CUI as then there'll be a definitive linking value between a user and a 
session. Even without CUI it should still be possible to figure out the inner 
ID using timestamps and attributes included in the authentication request(s), 
it's just harder to automate the process.

If you're using FreeRADIUS you might want to take a look at the example CUI 
configurations, and implement them at the same time as your eduroam service.

-Arran



 Ah. You clever fella. 
 
 Thanks for turning on the light.
 
 Lee H. Badman
 Network Architect/Wireless TME
 ITS, Syracuse University
 315.443.3003
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Hanset, Philippe C 
 [phan...@utk.edu]
 Sent: Tuesday, November 13, 2012 10:48 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] Eduroam technical questions
 
 Lee,
 
 Your campus only terminates EAP sessions for YOUR users.
 For visitors, you take the initial TLS negotiation (with the outer tunnel 
 identity e.g. lhbad...@syr.edu, or anonym...@syr.edu, or @syr.edu ) and you 
 pass it to the top level.
 You never deal with the EAP-type for visitors.
 In your RADIUS server you basically have a switch: pass to top level OR 
 terminate locally.
 Take a look at some config examples: 
 http://www.eduroamus.org/radius_configuration
 
 Philippe
 
 
 On Nov 13, 2012, at 10:12 AM, Lee H Badman lhbad...@syr.edu
  wrote:
 
 Thanks, Phillipe-
  
 I'm talking more from supplicant config side. So we use Xpressconnect to 
 configure our supplicants to only use MS-CHAPv2 /PEAP while disabling the 
 other EAP types, and in RADIUS only have this single EAP type enabled. So if 
 our Eduroam SSID required this EAP type, and someone showed up and hit our 
 EDUROAM with their supplicant configured for EAP-TLS for EDUROAM, a 
 reconfiguration would be required, no? Or am I really missing something 
 important?
  
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] on behalf of Hanset, Philippe C 
 [phan...@utk.edu]
 Sent: Tuesday, November 13, 2012 10:01 AM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] Eduroam technical questions
 
 Lee,
 
 eduroam is EAP agnostic.
 All that the roaming does is pass the initial SSL/TLS tunnel to the home 
 institution.
 Then in the tunnel, exchanges occur between your device and your home 
 institution
 So, as long as your institution does a tunneled EAP, you are done. The 
 visited institution
 has nothing to do with your EAP method.
 
 EAP-TTLS, PEAP, EAP-TLS ... all tunneled will work
 
 Philippe
 
 On Nov 13, 2012, at 9:52 AM, Lee H Badman lhbad...@syr.edu
  wrote:
 
 I have read through the most recent docs, not quite grasping:
  
 - If we use MS-CHAPv2 w PEAP on our campus, and that's all we want to use, 
 does that exclude us from Eduroam?
  
 - If not, what happens when I roam to another campus that uses TLS, or vice 
 versa? The goal is autoconnection, with no reconfig, but is everyone on 
 Eduroam really and truly using the same EAP with no need to reconfigure as 
 you roam campus to campus?
  
 Sorry to be thick, I realize a lot of time went in to the documents.
  
  
 Lee H. Badman
 Network Architect/Wireless TME
 ITS, Syracuse University
 315.443.3003
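As an added illustration of the banning problem Arran describes (example code, not a FreeRADIUS configuration or any project's code), the following Python sketch models the visited site's view of roaming authentications: a ban keyed on the outer identity is defeated by changing that identity, a ban keyed on Chargeable-User-Identity (CUI) is not, and without CUI the best the visited site can do is shortlist a device's sessions by Calling-Station-Id and timestamp to hand to the home institution. Attribute names follow RADIUS conventions; the identities, MAC and CUI value are constructed.

```python
"""Added example (not FreeRADIUS code or configuration): a visited eduroam
site's view of banning a roaming user.  All identities, MACs, CUI values and
timestamps are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AuthRecord:
    """What the visited site sees for one proxied authentication."""
    timestamp: int             # seconds; time of the Access-Request
    outer_identity: str        # User-Name of the outer EAP exchange (may be anonymous)
    calling_station_id: str    # device MAC reported by the NAS
    cui: Optional[str] = None  # Chargeable-User-Identity, only if the home server sends it


class VisitedSiteBans:
    """Two ways a visited site might try to ban a user it cannot itself identify."""

    def __init__(self) -> None:
        self.banned_outer = set()
        self.banned_cui = set()

    def ban_outer_identity(self, outer_identity: str) -> None:
        self.banned_outer.add(outer_identity)

    def ban_cui(self, cui: str) -> None:
        self.banned_cui.add(cui)

    def is_blocked(self, rec: AuthRecord) -> bool:
        if rec.outer_identity in self.banned_outer:
            return True
        return rec.cui is not None and rec.cui in self.banned_cui


def correlate_without_cui(records: List[AuthRecord], incident_ts: int,
                          mac: str, window: int = 300) -> List[AuthRecord]:
    """Without CUI, shortlist one device's authentications around the incident
    time so the home institution can be asked to map them to a real user."""
    return [r for r in records
            if r.calling_station_id == mac and abs(r.timestamp - incident_ts) <= window]


def demo() -> dict:
    """Run both ban strategies against the same user and report the outcomes."""
    # Constructed CUI; a real one is an opaque value chosen by the home server.
    home_cui = "cui-2f1e"
    first = AuthRecord(1000, "anonymous@example.edu", "02:00:00:00:00:01", home_cui)
    # Same person, same device, after changing only the outer identity in the supplicant.
    second = AuthRecord(1300, "guest42@example.edu", "02:00:00:00:00:01", home_cui)

    bans = VisitedSiteBans()
    bans.ban_outer_identity(first.outer_identity)
    outer_ban_holds = bans.is_blocked(second)   # False: the outer id was arbitrary

    bans.ban_cui(home_cui)
    cui_ban_holds = bans.is_blocked(second)     # True: the CUI follows the real user

    shortlist = correlate_without_cui([first, second], incident_ts=1200,
                                      mac="02:00:00:00:00:01")
    return {"outer_ban_holds": outer_ban_holds,
            "cui_ban_holds": cui_ban_holds,
            "sessions_to_ask_home_about": len(shortlist)}


if __name__ == "__main__":
    print(demo())
```

The shortlist function is the manual path the thread mentions: it narrows the question to the home institution down to a handful of sessions, but it cannot say which user they belong to; only the home server, or a CUI it chooses to return, can do that.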



Re: [WIRELESS-LAN] Eduroam technical questions

2012-11-14 Thread Arran Cudbard-Bell
On 14 Nov 2012, at 18:24, Lee H Badman lhbad...@syr.edu wrote:

 Can always block MAC on WLAN too. Simple, nuclear, elegant.
 

And completely ineffective if the user has any technical skill whatsoever.

shinyhead:freeradius-server-master arr2036$ ifconfig en0
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=2b<RXCSUM,TXCSUM,VLAN_HWTAGGING,TSO4>
	ether 7c:6d:62:xx:xx:xx

shinyhead:freeradius-server-master arr2036$ sudo ifconfig en0 ether 11:22:33:44:55:66

en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	options=2b<RXCSUM,TXCSUM,VLAN_HWTAGGING,TSO4>
	ether 11:22:33:44:55:66
	media: autoselect (none)
	status: inactive

-Arran


  
  
 
 
 -Original Message-
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Craig Simons
 Sent: Wednesday, November 14, 2012 1:13 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: Re: [WIRELESS-LAN] Eduroam technical questions
 
 Our approach is to block MAC addresses of banned machines directly on the 
 switch port using vendor specific features on our switching gear. However, as 
 the Radius requests are still created by your own equipment (which would 
 presumably have MAC address Calling-Station-Id information), you could still 
 reject outer EAP tunnel requests before they are proxied to the user's home 
 institution.
 
 - Craig
 
 
 

Re: [WIRELESS-LAN] FreeRADIUS performance question

2012-09-05 Thread Arran Cudbard-Bell
 The easiest way to disable the cache is to set the environment
 variable KRB5RCACHETYPE to none before starting freeradius.
 The MIT Kerberos software on our RADIUS servers though is so
 old (v1.3.x) that it didn't support this, so I had to disable
 it by writing a patch to the source code (in rlm_krb5.c). If 
 you need that, let me know and I can send it. I think KRB5RCACHETYPE
 appeared in v1.4.


We've added an option to disable the cache to rlm_krb5; this will be available 
in 2.2.0, which should be released ~10/09/12.

You will need to add 'cache = no' to your existing krb5 configuration file.

In what will become 3.0 this is already set in the default configuration file.

Thanks to Shumon Huque for testing.

-Arran


Re: [WIRELESS-LAN] FreeRADIUS performance question

2012-08-23 Thread Arran Cudbard-Bell
On 23 Aug 2012, at 01:30, Shumon Huque shu...@upenn.edu wrote:

 Jim,
 
 We've been through this, and I'll describe what we did to
 address it.
 
 There are two problems with the freeradius code that cause
 performance problems with a Kerberos backend:
 
 1) It doesn't disable the replay cache, which isn't needed
 for password verification operations (as opposed to native
 Kerberos), and causes an unnecessary performance bottleneck,
 as every authentication has to compare authenticators against
 a large cache of recently seen authenticators.
 
 The easiest way to disable the cache is to set the environment
 variable KRB5RCACHETYPE to none before starting freeradius.
 The MIT Kerberos software on our RADIUS servers though is so
 old (v1.3.x) that it didn't support this, so I had to disable
 it by writing a patch to the source code (in rlm_krb5.c). If 
 you need that, let me know and I can send it. I think KRB5RCACHETYPE
 appeared in v1.4.
 

So an interesting question would be - is anyone actually using EAP-Kerberos? If 
not, I'll disable caching by default and add a note to the configuration. AFAIK 
no supplicant has actually implemented any of the client side infrastructure to 
distribute tickets to other applications. It's annoying; SSO where you got your 
TGT from an 802.1X authentication would be really neat.

 2) Although freeradius is multi-threaded, the Kerberos authentication
 module is single-threaded. I believe recent versions of both
 MIT and Heimdal Kerberos libraries are threadsafe, but I don't 
 think the freeradius code has been updated for this. So the only 
 way to scale the performance of the RADIUS infrastructure is to 
 deploy more servers (they don't have to by physical, you can install
 multiple software instances on the same server if you have extra
 CPUs or cores).
 
 We currently have 8 freeradius servers running on 4 physical
 servers (2 per box). And we balance the wireless controllers
 across those.

At the university I used to work at, we were handling a similar load with two 
Xserve G5s, but we were using LDAP and not Kerberos.

 
 We actually implemented (1) first, and it instantly fixed
 the performance problems we were seeing at the time. But we 
 wanted to head off the second problem and stay well ahead of 
 demand, so started deploying multiple freeradius instances per 
 server.
 
 One of our staff members is also looking at patching freeradius
 to multithread the Kerberos bits, but unless the freeradius
 folks accept those patches and maintain them, we likely won't
 deploy that option in production.
 

v2.1.x has gone into an unofficial feature freeze for anything not related to 
DHCP functionality. If you want this code to be included in function releases 
please submit the patches against the master branch (3.0).

If the module uses long lived connection handles, it must use the connection 
API (src/main/connection.c). rlm_rest, rlm_sql and rlm_ldap2 (still in 
development) do this already, and all modules will be updated in time.

If the patches are well formatted, documented, and non-duplicative we'll almost 
certainly accept them.

-Arran



Re: [WIRELESS-LAN] FreeRADIUS performance question

2012-08-23 Thread Arran Cudbard-Bell
 Disabling the cache by default would be great. Thanks!
 
 EAP-Kerberos doesn't actually exist today as a documented spec -

Ah, I guess what I read wasn't an official IETF draft (it was years ago 
and I figured someone might have done something by now).

 I'm sure that's why there's no client side code. I agree that it 
 would be very nice, not only for the SSO function, but also because
 it would not be exposing the Kerberos password to the RADIUS
 servers.

Indeed.

 
 Many years ago, I tried to drum up interest in developing an
 EAP-Kerberos spec in the IETF. Ultimately, it didn't go anywhere, 
 but you can read some of the discussion in the following archived 
 thread:
 
  http://www.ietf.org/mail-archive/web/secmech/current/msg00041.html

Thanks :)

 
 2) Although freeradius is multi-threaded, the Kerberos authentication
 module is single-threaded. I believe recent versions of both
 MIT and Heimdal Kerberos libraries are threadsafe, but I don't 
 think the freeradius code has been updated for this. So the only 
 way to scale the performance of the RADIUS infrastructure is to 
 deploy more servers (they don't have to by physical, you can install
 multiple software instances on the same server if you have extra
 CPUs or cores).
 
 We currently have 8 freeradius servers running on 4 physical
 servers (2 per box). And we balance the wireless controllers
 across those.
 
 As the university I used to work at, we were handling a similar load with 
 two Xserve G5s, but we were using LDAP and not Kerberos.
 
 
 The LDAP module is multithreaded, right? That would give it an
 advantage.

Yes.

 One other mistake we made was that our RADIUS server
 hardware has many cores, but each core itself is quite slow -
 this was before we found out that the freeradius krb5 module
 was single threaded. If we'd known that earlier, we'd have instead
 purchased machines with fewer faster cores.

Additionally the control thread is also the only one that can insert packets 
into the request queue, though any worker can pick requests off it. 

 One of our staff members is also looking at patching freeradius
 to multithread the Kerberos bits, but unless the freeradius
 folks accept those patches and maintain them, we likely won't
 deploy that option in production.
 
 
 v2.1.x has gone into an unofficial feature freeze for anything not related 
 to DHCP functionality. If you want this code to be included in function 
 releases please submit the patches against the master branch (3.0).

*future releases

 Thanks! I'll pass this info along to our team!

np

-Arran


Re: [WIRELESS-LAN] Radius Load-balancing and Aruba

2012-05-16 Thread Arran Cudbard-Bell
On 15 May 2012, at 20:05, Michael Hulko wrote:

 
 We are attempting to create a load-balance farm of Radius servers for our 
 802.1x authentication.  The foundation is:
 
 Citrix Netscalars 9000s
 Aruba M3 controllers
 Radiator radius server (currently 3) on a Windows platform.
 
 We have been unable to successfully get authentication to work.  We are 
 getting Aruba involved, but they do not seem to have an answer yet.  
 
 Any comments/suggestions if you are already doing this or have alternatives 
 would be greatly appreciated.

Um quick check. All the RADIUS packets for an EAP session are going to the same 
RADIUS server right? 

AFAIK Radiator doesn't do EAP session state synchronisation, so you have to 
ensure the entire EAP exchange goes to a single backend server.

-Arran
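To show why the whole EAP exchange has to reach one backend, here is an added Python model (example code, not Radiator, Aruba or NetScaler code): a toy RADIUS backend that keeps EAP state only in local memory, a round-robin balancer that spreads consecutive packets across the pool, and a "sticky" balancer that hashes NAS-IP-Address and Calling-Station-Id so one conversation is pinned to one server. The round-robin path fails as soon as the second packet lands on a server that has never seen its State attribute. The NAS address, MAC and round count are constructed.

```python
"""Added example (not Radiator, Aruba or NetScaler code): why every RADIUS
packet of an EAP exchange must reach the same backend when the backends do not
synchronise EAP state.  All addresses, names and the round count are constructed."""
import hashlib

EAP_ROUNDS = 4  # constructed: Access-Request round trips in the toy exchange


class EapBackend:
    """A toy RADIUS server whose EAP session state lives only in local memory."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.sessions = {}  # State attribute value -> rounds seen

    def handle(self, request: dict) -> dict:
        state = request.get("State")
        if state is None:
            # First packet (EAP-Response/Identity): open a session and hand out
            # a State attribute that the NAS must echo in every later packet.
            state = f"{self.name}-{len(self.sessions) + 1}"
            self.sessions[state] = 1
            return {"code": "Access-Challenge", "State": state}
        if state not in self.sessions:
            # This server never saw the start of the exchange.
            return {"code": "Access-Reject", "reason": "unknown State attribute"}
        self.sessions[state] += 1
        if self.sessions[state] >= EAP_ROUNDS:
            return {"code": "Access-Accept"}
        return {"code": "Access-Challenge", "State": state}


class RoundRobinBalancer:
    """Spreads consecutive packets over the pool regardless of session."""

    def __init__(self, backends) -> None:
        self.backends = list(backends)
        self.next = 0

    def pick(self, request: dict) -> EapBackend:
        backend = self.backends[self.next % len(self.backends)]
        self.next += 1
        return backend


class StickyBalancer:
    """Hashes a per-conversation key so one EAP exchange stays on one backend."""

    def __init__(self, backends) -> None:
        self.backends = list(backends)

    def pick(self, request: dict) -> EapBackend:
        key = f"{request['NAS-IP-Address']}|{request['Calling-Station-Id']}".encode()
        digest = hashlib.sha256(key).digest()
        return self.backends[int.from_bytes(digest[:8], "big") % len(self.backends)]


def run_eap_exchange(balancer, calling_station_id: str) -> str:
    """Drive one EAP exchange through the balancer; return the final RADIUS code."""
    state = None
    reply = {"code": "Access-Reject"}
    for _ in range(EAP_ROUNDS):
        request = {"NAS-IP-Address": "192.0.2.10",
                   "Calling-Station-Id": calling_station_id}
        if state is not None:
            request["State"] = state
        reply = balancer.pick(request).handle(request)
        if reply["code"] != "Access-Challenge":
            break
        state = reply["State"]
    return reply["code"]


if __name__ == "__main__":
    pool = [EapBackend("radius-a"), EapBackend("radius-b")]
    print("round-robin:", run_eap_exchange(RoundRobinBalancer(pool), "02:00:00:00:00:01"))
    pool = [EapBackend("radius-a"), EapBackend("radius-b")]
    print("sticky:     ", run_eap_exchange(StickyBalancer(pool), "02:00:00:00:00:01"))
```

Real load balancers usually offer persistence on the RADIUS source address, Calling-Station-Id or the State attribute; whichever key is used, the requirement is the same as in the model: every packet carrying a given State must be routed to the server that issued it.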


Re: [WIRELESS-LAN] RADIUS Server preference for 10K+ Client Environments?

2011-11-01 Thread Arran Cudbard-Bell
+1 for FreeRADIUS ;)

-Arran

On 1 Nov 2011, at 20:19, Hector J Rios wrote:

 We've been running FreeRADIUS on freeBSD since 2008 and could not be happier. 
 We authenticate over 12K users per day. We use it only for our wireless 
 network (802.1X/MS-CHAPv2/PEAP). It's fast, it's scalable and best of all, 
 it's free!
  
 Thanks,
  
 Hector Rios
 Louisiana State University
  
  
 From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
 [mailto:WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU] On Behalf Of Lee H Badman
 Sent: Tuesday, November 01, 2011 1:25 PM
 To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
 Subject: [WIRELESS-LAN] RADIUS Server preference for 10K+ Client Environments?
  
 We’re feeling some frustration with our current RADIUS solution (ACS 5, 
 virtual appliances) that are frequently attributed to the size of our client 
 base. (At the same time, the logging and reporting on ACS is among the best 
 I’ve ever seen.)
  
 For those of you with large (10,000 + users) RADIUS deployments, what servers 
 are you using and what are your points of pain and/or appreciation?
  
 We currently only use the servers in question for wireless client support, 
 doing MS-CHAPv2/PEAP.
  
  
 Regards-
  
 Lee Badman
  
  
 Lee H. Badman
 Wireless/Network Engineer
 Information Technology and Services
 Adjunct Instructor, iSchool
 Syracuse University
 315 443-3003
  
  

Arran Cudbard-Bell
a.cudba...@freeradius.org

Betelwiki, Betelwiki, Betelwiki http://wiki.freeradius.org/ !





Re: [WIRELESS-LAN] iOS devices on wireless

2011-06-27 Thread Arran Cudbard-Bell
On Jun 27, 2011, at 5:27 PM, Garry Peirce wrote:

 I'd agree that the protocol should be 'fixed' here and not re-design the
 underlying network to support a particular service.
 (note that other service discovery protocols have the same issue - SSDP,
 WS-Discovery)
 To that end, I was curious if anyone had tried/is using DNS-SD (unicast) to
 support Bonjour on wireless - aka 'wide area' Bonjour , whether for static
 or dynamic services.

That would seem to make the most sense. Bonjour as a protocol works great for a 
small number of devices, or networks with fairly low rate of new connections. 
One of the nice things about Bonjour is that it will listen passively on the 
multicast address, and if another client requests all hosts for a particular 
service, it'll cache the response and not bother asking.

Unfortunately if you have lots of new clients coming on and requesting all 
hosts for a particular service, it can quickly generate large amounts of 
multicast traffic. I'm not sure there's really a better way for peer based 
service discovery, which is whats really required in the home environment. 

Wide Area Bonjour seems to be the solution. Hosts on the network can register 
themselves with a central service that can be queried by all clients on the 
network via unicast. Instructions for setting it up are here: 
http://www.dns-sd.org/ServerSetup.html

So the grumbling at Apple probably isn't justified. There is a solution out 
there for enterprise networks, it just takes a bit of time and effort to set 
up.

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter



Re: [WIRELESS-LAN] Anyone use CloudPath ?

2009-11-23 Thread Arran Cudbard-Bell

Hi Mike,

We've been using it successfully since September, primarily with Windows 
XP, Vista, 7 and Mac OSX 10.4, 5, 6.

The only real issues we had were getting it to work with Apache 1* and SSL 
(it'd hang attempting to download support files), but since disabling 
SSL/moving the resources to an Apache 2 server, it's been fine.

We're currently using it to support our wireless WPA2/AES 802.1X authed network, 
and our residential 802.1X authed network; using the ActiveX/Java Web Start 
feature to launch it from a captive registration portal.

Students/Staff/Helpdesk all love it, well worth the investment IMO.

-Arran

On 23/11/2009 15:12, Michael Dickson wrote:
 We're considering Cloudpath XpressConnect to see if this product can
 assist with client configuration and help us achieve higher user
 adoption of our 802.1x network.
 
 Anyone using XpressConnect successfully? Do you use it for Win and Mac?
 How is pricing determined for a campus?
 
 We're offering 802.1x with TTLS/PAP/AES and use SecureW2 for our Windows
 users. Adoption rate over our captive portal SSID is going just ok. We
 are planning a large expansion project and want make getting on 802.1x
 as easy as possible.
 
 Comments, advice, complaints or horror stories appreciated. Reply to me
 directly if you prefer not to air grievances publicly.
 
 Thanks in advance,
--Mike
 
 
 Michael Dickson    413.545.9639
 Network Analyst    Univ. of Massachusetts Amherst
 
 

-- 
Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk,
Systems Administrator (AAA),
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2



Re: [WIRELESS-LAN] Anyone use CloudPath ?

2009-11-23 Thread Arran Cudbard-Bell

On 23/11/2009 19:11, Methven, Peter J wrote:
 It can reorder preferred networks to ensure the devices connect to the 
 secure one in preference. I've never tried deleting networks from 
 users' laptops as I always worry they may object but I believe it can.

Yep, definitely can. We use it to remove the association for the 
registration portal WLAN once the user's done registering, and any older 
legacy networks.


-Arran



Re: [WIRELESS-LAN] configuration script

2009-06-17 Thread Arran Cudbard-Bell

On 17/6/09 17:00, Lunceford, Dan wrote:

I'd love to see it.  Thanks so much for sharing.


Second that!

Cheers,
Arran

--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2



Re: [WIRELESS-LAN] configuration script

2009-06-17 Thread Arran Cudbard-Bell
Brian Beausoleil wrote:
 Perhaps a link distributed would be helpful to anyone else wanting to
 see the source code?  I know I would also like to see the code.

It'd also be very useful if it could be released under one of the open
source licenses like GPLv3. Then we can include it in our own projects
without legal ramifications.

Thanks,
Arran
 Thanks for making it available to us.


 Brian Beausoleil - Network Administrator
 Office of Information Technology
 SOUTHERN CT STATE UNIVERSITY
 beausolei...@southernct.edu
 Work:  (203) 392-6109
 Fax:  (203) 392-6711



 On 6/17/09 12:37 PM, Caroline Owens ow...@sju.edu wrote:

 Make that one more for seeing the source code...

 thanks for sharing this Chris!

 Caroline Owens
 Networking and Telecommunications
 Saint Joseph's University


 Chris Brauchli wrote:
  Here at Williams we wrote an in-house solution based on the Native
  WiFi API
  (http://msdn.microsoft.com/en-us/library/ms706556(VS.85).aspx)
   that is doing the job well so far. If anybody wants to see the source
   code, feel free to email me and I'll happily share it. The nice thing
   about this solution is that it deletes saved credentials and sets up
   the 802.1X network for the user. Also, since it's based on Microsoft's
   provided API, it's likely to continue working for a while. It works on
   XP SP2 with the Wireless LAN API up.
 
  Chris Brauchli









Re: [WIRELESS-LAN] Wireless Printers on 802.1x Network

2009-06-09 Thread Arran Cudbard-Bell

On 8/6/09 19:48, Lee H Badman wrote:

Thanks, Arran. I did pick apart a Dell 5210n this morning that looked hopeful- 
but regardless of what you configured it refused to functionally do anything 
beyond LEAP. Sigh...


Oh dear... if you're going to implement anything, LEAP is *not* the one to go 
for. I suppose you've applied all the latest F/W updates etc.?

It's nice that these vendors are taking the time to implement WPA-Enterprise on 
their latest products... if only they could actually get it right.

Worst comes to the worst, you could always look into wireless client bridges. 
Get them to connect on behalf of the printers, then just run Ethernet.

Arran




Lee H. Badman
Wireless/Network Engineer
Information Technology and Services
Syracuse University
315 443-3003

-Original Message-
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:wireless-...@listserv.educause.edu] On Behalf Of Arran Cudbard-Bell
Sent: Monday, June 08, 2009 2:26 PM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Wireless Printers on 802.1x Network

Hi Lee,


Given that we are running 802.1x PEAP w/ MS-CHAPv2, WPA/TKIP on main
prod wireless network, has anyone with same network setup found a
wireless printer that will work as a client device? Looking for real
examples of functional printers- several wireless printers look
potentially good until you go to set them up. If you know of any the
work in the real world (with 802.1x PEAP w/ MS-CHAPv2, WPA/TKIP) the
information would have great value.


Only negative information I'm afraid. Last time I checked, the HP JetDirect 
supplicant was running something that claimed to be PEAPv0 (had the PEAPv0 
flag), but acted more like PEAPv1 (including full EAP headers in the inner 
tunnel). Our RADIUS servers (FreeRADIUS 2.*) categorically refused to 
authenticate these devices (because of the additional headers in the inner 
tunnel), and I've heard reports that IAS rejects them as well.

This was on wired, but the supplicant is probably the same for both wired and 
wireless interfaces (it'd make no sense implementing EAP twice).

Regards,
Arran


--
Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk),
Authentication, Authorisation and Accounting Officer,
Infrastructure Services (IT Services),
E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT
DDI+FAX: +44 1273 873900 | INT: 3900
GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2
